Smart Card Firms Challenge US on RFID

The Smart Card Alliance has come out against a decision by the US government to use Gen2 technology in its passport card initiative. The SCA issued an official statement earlier this week laying out an argument for why RFID technology based on an existing smart card standard, and not Gen2, is preferable for the program.

December 6, 2006—The Smart Card Alliance has come out against a decision by the US Department of State to use Gen2 technology in its passport card initiative. The SCA, a cross-industry association whose members include many of the leading global technology firms that participate in the smart card industry, issued an official statement earlier this week laying out an argument for why RFID technology based on ISO/IEC 14443, a smart card standard, and not Gen2, a supply chain standard, is preferable for the program.

The US government's passport card program is not to be confused with the ePassport initiative. The card program is a component of the Western Hemisphere Travel Initiative that aims to offer a passport alternative to US citizens reentering the country from Canada, Mexico, and Caribbean nations beginning in June 2009, after which all US citizens must present proof of identity and citizenship to be allowed reentry. Since only 25 percent of US citizens currently hold passports, the passport cards would offer an alternative when the new regulations come into effect in 2009.

In mid-October, the US State Department announced that it had selected what it calls "vicinity read" RFID technology to be used in the passport cards. Vicinity read RFID is based on the ISO/IEC 18000-6, Type C standard, better known as Gen2. Gen2 and ISO/IEC 18000-6, Type C are essentially the same technology; ISO/IEC 18000-6, Type C was the result of ISO's integration of Gen2 into its passive RFID standard (see ISO Incorporates Gen2 into RFID Standard).

The SCA argues that Gen2 technology is ideal for supply chain environments but hardly suitable for the passport card initiative. In its response, the association enumerates and expounds upon a handful of reasons why a different standard -- namely, ISO/IEC 14443 -- should be used. Chief among those reasons are Gen2's weaker security safeguards, which SCA says do not "allow border officials to verify that the passport card is authentic and to protect the information that is on the card." This vulnerability will quickly become evident to the public, argues SCA, and citizens' likely distrust of the technology will then exacerbate the situation. RFID is already a target of computer security academics, professionals, and hackers alike, who have grabbed headlines over the last couple of years with (oftentimes dubious) assertions and demonstrations of security weaknesses in the technology.

ISO/IEC 14443, the standard advocated by the SCA, is already the widely accepted standard for smart card and identity applications, applications for which security has always been a key consideration. In fact, it is this very standard that the US government chose for the ePassport initiative, an important point not only because it demonstrates a precedent for using ISO/IEC 14443 in US passport applications, but also because aligning behind one standard would allow ePassports and passport cards to share the same hardware infrastructure. If the US government insists on moving forward with Gen2 for the passport card, additional infrastructure will have to be deployed beyond that which is already necessary for ePassports.

To be clear, the SCA is in no way anti-Gen2. Indeed, many of its members are major players in the supply chain RFID market, including Zebra Technologies, Texas Instruments, STMicroelectronics, VeriSign, and NXP (formerly Philips Semiconductors). Its message is simply that in this instance Gen2 is not the appropriate choice, developed as it was for deployment in the global supply chain, where tag data is not as sensitive and security requirements not as rigorous as in personal identification applications. As Texas Instruments' director of eDocuments Tres Wiley said in a statement, "The vicinity technology being proposed by the US government was not intended or designed for sensitive ID applications such as the ... passport card; secure proximity technology, like that in the new ePassport, was designed expressly for that purpose."